Online email accounts and https

Today I noticed something with my Yahoo! email account that somehow escaped my attention all this time. The URL did not start with https but was just plain old http.

I think even those who are not very net/tech savvy would know that https:// implies “fairly safe”, i.e. safe as in the information you enter in a web page with it (e.g. your password, or credit-card information while purchasing) is less likely to be “eavesdropped upon”. For a technical explanation as to why this is so you can read this wiki page.

Now, the question that burns in me today is why is https not being used for online email accounts – particularly, when a secure https connection is so prevalent nowadays. I have a Yahoo!, and a gmail account, and from what I can tell, both are not using https based addresses for the web-pages that display my personal emails. Both do use https based address for the login page, which is good, as there is protection for your userid and password.

But why not for the other pages? Perhaps this is some sort of resource limit issue, as I can imagine an https based web page could take more resources on the server.

Or am I missing something, and it is really https throughout? I hope so.

If not, it is unnerving to realize that all the content of my personal emails is being exchanged between the server and my browser unencrypted, i.e. “in the clear”. This can include sensitive information. For example, your bank sent your userid and password information when you told them you forgot it (although here the password is temporary).

Worse, suppose you are one of those who send themselves a “reminder email” that lists the userids and passwords for the various sites you are registered with, so that you just need to remember your email account userid and password, read this email and voila! All the information is “readily accessible”! Well, the problem is, every time you refer to that particular email, this readily accessible, sensitive information would be exchanged “in the clear”. A “packet sniffer” out there on behalf of an identity thief could potentially sniff it out. I would guess these are the things they generally are sniffing for.

Now, admittedly this could be argued to be “poor and careless” use of online email accounts. However, shouldn’t we also ask: why isn’t all our online email access always https based? When we are in the middle (and no longer the dawn) of the internet age, when just about everyone has at least one online email account, when online email access is used more often than online purchasing, why don’t these online email services make it as safe as online purchases?

I hope I am wrong and they are indeed secure.

Update: Looks like this article deals with the subject and confirms my fears w.r.t Yahoo! mail, but allays my fears for gmail. To quote from the article:

“A secure connection to Gmail is available at httpS://gmail.google.com … Yahoo Mail! transmits your login information in the background to an https page, but you can click on the “Secure” link to reach an https page to log into Yahoo! Mail first. Once you’re logged in, sending and receiving your email happens over an insecure connection.”

16 Responses to “Online email accounts and https”

Arun, I’m no expert but here is how I can assure you that your emails are safe:

A normal http connection uses port 80 which is unsecured, i.e. all information flowing in and out can be potentially hacked. However, https connection is on a specific TCP port requested by the website. This is just one of the security features of https.

https will authenticate you when you enter your username and password for accessing email (or any portal that requires secured login). The web admin creates a certificate dedicated to every user and this is unique – based on your email+pwd. Now, unless your info is known to others, nobody can break thru this authentication.

Once you are IN, it’s a private party already. You have opened the lock on main door, and there is no need to have a lock on each room in your house 😉

hmm… quite an interesting post.. never thought about things like that.. in fact, to be honest, I didn’t know the difference you mentioned between http and https..
and I see the WordPress login page with http
so that’s not safe and secure.. is it??

Thanks arvind and welcome! Basically if you are entering sensitive information online (e.g. bank account #, credit card # etc.), then make sure the webpage address starts with https:// or perhaps more reliably, there is a lock icon in the bottom right of your browser. If not, do not give out sensitive info on that page!

Now for web based emails (although one would think this is mainly privacy), since most communication in the west – even “official” ones (as in dealing with banks, utility companies) are via email, our email folders do contain equally sensitive info. So IMO, it would be “safest” if the online email access is entirely secure.

WordPress – yes it is not secure. Means your username and password are sent in clear. Now is it very dangerous? Maybe not – for one at worst your blog gets hacked, and that is only if someone wanted to do it. Generally I would think, those kinds look for bigger kills.

Arun,
I had never noticed this until today. Yahoo transmits only the login and password through https (if you do a view source of the login page) but as you say the email contents are out there for sniffers to see. I guess when Yahoo started out as a free email service they did not anticipate Google’s entry and perhaps thought it best to provide minimal security in a free service. Yahoo’s business email, which is relatively new, does use SSL throughout.

That being said, Google’s documents service does not seem to be using https, so that is something to be aware of when working on sensitive documents on Google Docs. Finally, a determined hacker who works long and hard enough can still manage to decrypt information sent over SSL.

Interesting post. I had the exact same thought and Googled “Yahoo! E-mail Security https” and found your post. I’m walking away from this thinking that I somehow need to be really careful what e-mail I read!

Arun: Thanks! I guess it sort of depends on our individual state of mind, i.e. level of paranoia. I don’t know what the odds of something bad happening due to this are – I figure it is still low. But it does make it “more easily possible” compared to https – where “more” is the operative word.

Paranoia is not the right term. Ignorance is more apt. Hacking is evolved right now. The more we use web 2.0 technologies the possibility of getting hacked is more. Strong passwords using password managers and using SSL should be taken more seriously. The web 2.0 user must also evolve. Else he will end up paying a heavy price.
